How an investigation into sextortion led to discovery of a criminal underworld

Sextortion continues to be one of the most effective methods of extracting monetary value from victims, used by cyber-attackers around the world.

But according to Sophos, the crimes don’t stop at just sextortion – a recently released report reveals funds gleaned from victims led to an underbelly of criminal activity.

Sextortion is a widely used form of spam attack that accuses the recipient of visiting a pornographic website and threatens to share video evidence with their friends and family unless the recipient pays.

Researchers tracked the origin of millions of sextortion spam emails sent between September last year and February 2020 and were able to decipher what happened to the money deposited by victims.

According to Sophos, the bitcoin extorted from the scams totalled approximately US$500,000, with individual victims on average forced to pay up to $800 into attackers’ coffers.

After tracing the funds, researchers found that the extorted funds were used to support subsequent illicit activity, such as transacting with dark web marketplaces and buying stolen credit card data.

Other funds were quickly moved through a series of wallet addresses to be consolidated and put through ‘mixers’ in an attempt to launder the transactions or convert them to cash.

“Sextortion scams prey on fear and this makes them an effective way of making quick money,” says SophosLabs security researcher Tamás Kocsír, who led the research.

“Across the five months of our investigation, we saw wave after wave of attacks, often taking place over the weekend and sometimes accounting for up to a fifth of all spam tracked at SophosLabs.

“And while most recipients either didn’t open the email or didn’t pay, enough of them did to net the attackers around 50.9 bitcoin, equivalent to nearly $500,000.”

The scams exploited global botnets on compromised PCs to dispatch millions of spam emails to recipients around the world, according to Sophos.

Vietnam, Brazil, Argentina, the Republic of Korea, India, Italy, Mexico, Poland, Colombia, and Peru are the top 10 countries where these compromised computers were used to dispatch the spam messages, of which 81% were in English, 10% were in Italian, 4% were in German, 3.5% were in French, and 1.2% were in Chinese.

“Spam campaigns are relatively cheap and easy to implement, but the assumption that this means they are launched only by low-skilled, opportunistic attackers could be inaccurate,” says Kocsír.

“Our research found that some of the scam emails featured innovative obfuscation techniques designed to bypass anti-spam filters.

“Examples of this include breaking up the words with invisible random strings, inserting blocks of white garbage text, or adding words in the Cyrillic alphabet to confuse machine scanning.

“These are not beginner techniques and they are a good reminder that spam attacks of any kind should be taken seriously,” says Kocsír.

“A robust approach to cybersecurity is essential. If you are worried about becoming the target of a sextortion scam, disable or cover the camera on your computer.”